WO2023155697A1 - Procédé et appareil de traitement de données (Data processing method and apparatus) - Google Patents
- Publication number: WO2023155697A1 (application PCT/CN2023/074419)
- Authority: WO (WIPO, PCT)
- Prior art keywords: program, library, target, vulnerability repair, vulnerability
Classifications (CPC: G PHYSICS › G06 COMPUTING; CALCULATING OR COUNTING › G06F ELECTRIC DIGITAL DATA PROCESSING)
- G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity › G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems › G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities › G06F21/577 Assessing vulnerabilities and evaluating computer system security
- G06F11/00 Error detection; Error correction; Monitoring › G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance › G06F11/0703 Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation › G06F11/0793 Remedial or corrective actions
- G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer › G06F21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information › G06F21/74 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information operating in dual or compartmented mode, i.e. at least one secure mode
Definitions
- the present invention relates to the field of computer technology, in particular to a data processing method and device.
- Linux is one of the most widely used operating systems, and the number of Linux distributions has grown from a handful in the traditional IT security field to dozens or even hundreds. Because of this diversity, traditional vulnerability repair methods, which need a separately compiled set of binaries for each distribution, are difficult to apply.
- in the first memory space, create a second memory space for the target intrusion and loader, and configure a second running environment isolated from the first running environment of the first program, where the second memory space is used only by the target loader and the programs it loads;
- load a vulnerability repair library into the second memory space based on the second running environment, and use the vulnerability repair library to repair the vulnerability in the first program.
- before the vulnerability repair library is used to repair the vulnerability in the first program, the method further includes:
- according to the intrusion hook guidance information in the vulnerability repair library, intruding into the content at the target location in the first program and establishing a hook relationship between that content and the vulnerability repair library;
- using the vulnerability repair library to repair the vulnerability in the target location content then includes:
- when the first program invokes the content at the target location, redirecting execution to the vulnerability repair library according to the hook relationship, so that the vulnerability in the target location content is repaired.
- before intruding into the content at the target location in the first program according to the intrusion hook guidance information and establishing the hook relationship, the method further includes: performing signature verification on the vulnerability repair library with preset public key information, and proceeding only after the verification passes.
- the target intrusion and loader includes an intruder and a loader; the intruder intrudes into and hooks the first program, and the loader creates the second memory space, configures the second operating environment, and loads the vulnerability repair library.
- the vulnerability repair library is fetched from the cloud by the target intrusion and loader.
- the target device is an Internet of Things device
- the first program is a user mode program
- the vulnerability repair library acquisition module is used to load the target intrusion and loader into the first memory space of the first program and to obtain the vulnerability repair library for the first program through the target intrusion and loader;
- the second operating environment configuration module is used to create, within the first memory space, a second memory space for the target intrusion and loader and to configure a second operating environment isolated from the first operating environment of the first program, where the second memory space is used only by the target loader and the programs it loads;
- the vulnerability repair module is configured to load the vulnerability repair library into the second memory space based on the second operating environment and to use it to repair the vulnerability in the first program.
- An electronic device includes a processor, a memory, and a computer program stored in the memory and capable of running on the processor; when the computer program is executed by the processor, the above data processing method is implemented.
- A computer-readable storage medium stores a computer program which, when executed by a processor, implements the data processing method described above.
- In summary: the target intrusion and loader is loaded into the first memory space of the first program deployed on the Linux operating system and obtains the vulnerability repair library for the first program; within the first memory space it creates a second memory space and configures a second operating environment isolated from the first operating environment of the first program; then, based on the second operating environment, it loads the vulnerability repair library into the second memory space and uses it to repair the vulnerability in the first program.
- This achieves vulnerability repair across Linux distributions: the same repair library applies to different distributions and needs to be compiled only once, which avoids compiling a different set of binaries for each distribution and reduces the difficulty of vulnerability repair.
- Fig. 1 is a flow chart of the steps of a data processing method provided by an embodiment of the present invention
- Fig. 2a is a schematic diagram of the internal operation of a program provided by an embodiment of the present invention.
- Fig. 2b is a schematic diagram of the internal operation of another program provided by an embodiment of the present invention.
- Fig. 2c is a schematic diagram of a patch download provided by an embodiment of the present invention.
- Fig. 2d is a schematic diagram of the internal operation of another program provided by an embodiment of the present invention.
- Fig. 2e is a schematic diagram of the internal operation of another program provided by an embodiment of the present invention.
- Fig. 3 is a flow chart of steps of another data processing method provided by an embodiment of the present invention.
- Fig. 4 is a flow chart of the steps of a data processing example provided by an embodiment of the present invention.
- Fig. 5 is a structural block diagram of a data processing device provided by an embodiment of the present invention.
- FIG. 1 shows a flowchart of the steps of a data processing method provided by an embodiment of the present invention.
- the method can be applied to a target device running a Linux operating system
- the target device can be an Internet of Things device
- a first program, that is, a host program, can be deployed on the Linux operating system.
- the first program is a protected program.
- the first program can be a user application running on the Linux operating system: a command-line tool, a business-level application service, or a program running in a container environment. In other words, it is a user-mode program; programs on Linux are divided into kernel-mode and user-mode programs.
- kernel-mode code is maintained by the Linux open-source community; it encapsulates the underlying hardware, presents a unified system call interface to user-mode programs, and hides the differences between network and file system implementations.
- user-mode programs are applications developed on top of the Linux kernel, such as browsers, communication software, image processing software, and camera software.
- Step 101: load the target intrusion and loader into the first memory space of the first program, and obtain a vulnerability repair library for the first program through the target intrusion and loader.
- the target intrusion and loader (LLIM, Linux Loading and Invasion Machine) can be a binary dynamic loader: a shared library that is loaded together with the program by the operating system, with two roles:
- LLIM can act as an ordinary position-independent shared library that the operating system's dynamic loader maps into the program's memory space (the first memory space).
- LLIM can also act as a loader with its own self-contained space (the second memory space) and a thread isolation mechanism; through it, other components such as security service programs and vulnerability repair libraries are loaded and run as threads inside the process space of the host program (the first program).
- inside LLIM, the thread isolation mechanism ensures that LLIM itself and the ELF shared libraries it loads have memory and thread context completely independent of the host program's execution flow. That is, when executable code runs within LLIM's own body or within the code range of a binary library it loaded, the thread stack, thread-private variables, locks and other resources are independent and self-managed, which is what lets LLIM and everything it loads run in any Linux host environment.
- the thread isolation mechanism thus creates a self-contained space (the second memory space) isolated from the host program's thread space. The host program's threads can enter the executable programs, shared library entry points and code blocks in LLIM's space through hooks with address jumps, exported function calls, or the dlopen interface.
- this self-contained space, which does not depend on the host's Linux environment, holds thread-context-independent libraries, thread-context-independent code blocks, and new threads created by LLIM.
- LLIM may include an intruder and a loader.
- the intruder intrudes into and hooks the first program, and the loader creates the second memory space, configures the second operating environment, and loads the vulnerability repair library.
- through binary intrusion, the LLIM core hooks the host program: it can intrude into and hook (HOOK) any position in the executable code of the in-memory ELF image of a user-mode program on any Linux variant, and at the hook point it deploys an additional ELF loader that is isolated from the host program (independent of the host context) for loading shared libraries on demand, isolated from the host program context.
- the intruder in the LLIM core supports link-map hooks (for Android), instrumentation hooks (for GNU/Linux) and inline hooks (instruction-level intrusion on any Linux); the loader provides ELF parsing, address redirection and digital signature verification.
- the LLIM intrusion and loader is implanted into the Linux system to be detected and repaired so that it is loaded into the first memory space when the first program starts running and stays resident in the program body. Concretely, before the first program runs, the Linux operating system loads the shared libraries it requires, and LLIM is loaded into the first program's process space as one such shared library.
- the vulnerability repair library is obtained by LLIM from the cloud.
- LLIM can connect over the network to the cloud binary vulnerability patch library; as soon as a new patch push is received, it downloads the repair patch into the local vulnerability repair library.
- the developer writes a vulnerability repair patch according to the CVE repair suggestion, the publisher signs the patch and uploads it to the cloud, and devices equipped with the general Linux binary vulnerability repair agent of the present invention download and deploy the patch.
- identifying the target binaries can be done by implanting a vulnerability scanning agent inside the Linux system.
- controlled objects: executable programs and shared libraries.
- CVE: Common Vulnerabilities and Exposures.
- the target binaries are matched one by one against vulnerability library information; the mechanism by which each vulnerability arises and some repair suggestions can be retrieved from the CVE information,
- so that repair patch developers can develop patches in a targeted manner.
- the repair logic completely or partially replaces the vulnerable executable code, or modifies the parameters and return values of the code, for example by adding a series of bounds checks.
- after the vulnerability repair patch is developed, it is built against the specific libc environment supported by LLIM to produce a dynamically linked shared library, and intrusion hook guidance information is added to it, which indicates at runtime how the first program to be repaired is to be intrusively hooked.
- Step 102: in the first memory space, create a second memory space for the target intrusion and loader, and configure a second running environment isolated from the first running environment of the first program, where the second memory space is used only by the target loader and the programs it loads.
- for LLIM, this means creating a second memory space for LLIM inside the first memory space.
- the second memory space is used only by LLIM and the programs it loads; it is LLIM's self-contained space.
- the self-contained space is a separate namespace that the loader creates inside the Linux process, linked against LLIM's own libc, in which only shared library files from a specific directory are loaded for the application (comparable to a separate link-map namespace as created by glibc's dlmopen with LM_ID_NEW).
- within it, a second operating environment isolated from the first operating environment of the first program can be configured, which can include linking shared libraries, initializing the thread context, and starting threads.
- initializing the thread context can include initializing the stack, thread-private variables, devices and memory management.
- Step 103: based on the second operating environment, load the vulnerability repair library into the second memory space, and use the vulnerability repair library to repair the vulnerability in the first program.
- before the vulnerability repair library is used, the method may also include: according to the intrusion hook guidance information in the vulnerability repair library, intruding into the content at the target location in the first program and establishing a hook relationship between that content and the vulnerability repair library.
- using the vulnerability repair library to repair the target location content may then include: when the first program calls the target location content, redirecting execution to the vulnerability repair library according to the hook relationship so that the vulnerability in the target location content is repaired.
- the intrusion hook guidance information may include the repair target library name, the repair target function symbol name, the repair target mount address (that is, the target location content), and the patch function entry symbol name and address.
- after the vulnerability repair library is downloaded, the binary intrusion hook guidance information in it is read, the content at the target location in the first program is intruded precisely according to that information, and the link between the target location content and the vulnerability repair library is established.
- once the vulnerability repair library is loaded, the intrusion and hook logic redirects execution into the logic of the vulnerability repair library, overriding the original vulnerable business logic at the target location in the first program.
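The two mechanisms described above, a bounds-checked patch function built as a drop-in for the vulnerable code and an inline hook that redirects the repair target mount address to it, can be shown end to end in C. The following is an added example written for this page, not LLIM code from the patent: `copy_field` stands in for the vulnerable first-program function, `copy_field_fixed` for the patch function in the vulnerability repair library, and `install_inline_hook` for the inline-hook intruder. The function names, the sample inputs and the trampoline encodings are the example's own; it assumes Linux on x86-64 or AArch64 and a kernel that allows the code page to be remapped writable and executable.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Stand-in for the vulnerable "first program" code: copies a field into dst and only
 * rejects dstlen == 0, never the real bound (CWE-120). The nop padding guarantees the
 * function is long enough to hold the trampoline written by install_inline_hook. */
__attribute__((noinline)) size_t copy_field(char *dst, size_t dstlen, const char *src)
{
    if (dstlen == 0)
        return 0;
    size_t n = 0;
    while ((dst[n] = src[n]) != '\0')          /* unbounded copy: overflows dst */
        n++;
    __asm__ volatile("nop\n\tnop\n\tnop\n\tnop\n\tnop\n\tnop\n\tnop\n\tnop\n\t"
                     "nop\n\tnop\n\tnop\n\tnop\n\tnop\n\tnop\n\tnop\n\tnop");
    return n;
}

/* Stand-in for the patch function in the vulnerability repair library: same ABI,
 * bounds-checked, truncates and NUL-terminates instead of overflowing. */
__attribute__((noinline)) size_t copy_field_fixed(char *dst, size_t dstlen, const char *src)
{
    if (dstlen == 0)
        return 0;
    size_t n = 0;
    while (n + 1 < dstlen && src[n] != '\0') {
        dst[n] = src[n];
        n++;
    }
    dst[n] = '\0';
    return n;
}

/* Inline hook: overwrite the first bytes of `from` (the repair target mount address) with
 * an absolute jump to `to` (the patch function entry). Returns 0 on success, -1 if the
 * code page could not be remapped writable (e.g. a W^X policy is enforced). */
int install_inline_hook(void *from, void *to)
{
    uint8_t code[16];
    size_t len;
    uint64_t addr = (uint64_t)(uintptr_t)to;
#if defined(__x86_64__)
    /* movabs rax, imm64 ; jmp rax   (rax is caller-saved and free at function entry) */
    code[0] = 0x48; code[1] = 0xB8;
    memcpy(code + 2, &addr, 8);
    code[10] = 0xFF; code[11] = 0xE0;
    len = 12;
#elif defined(__aarch64__)
    /* ldr x16, [pc, #8] ; br x16 ; .quad imm64   (x16 is the IP0 scratch register) */
    uint32_t ldr = 0x58000050, br = 0xD61F0200;
    memcpy(code, &ldr, 4);
    memcpy(code + 4, &br, 4);
    memcpy(code + 8, &addr, 8);
    len = 16;
#else
#error "this example implements the trampoline for x86-64 and AArch64 only"
#endif
    uintptr_t page = (uintptr_t)sysconf(_SC_PAGESIZE);
    uintptr_t start = (uintptr_t)from & ~(page - 1);
    uintptr_t end = ((uintptr_t)from + len + page - 1) & ~(page - 1);
    if (mprotect((void *)start, end - start, PROT_READ | PROT_WRITE | PROT_EXEC) != 0)
        return -1;
    memcpy(from, code, len);
    __builtin___clear_cache((char *)from, (char *)from + len);   /* needed on AArch64 */
    mprotect((void *)start, end - start, PROT_READ | PROT_EXEC);
    return 0;
}

/* Before the hook a short input is copied verbatim; returns 3. */
long demo_before_hook(void)
{
    char buf[8];
    return (long)copy_field(buf, sizeof buf, "abc");
}

/* After the hook the same, unmodified call site lands in copy_field_fixed: an oversized
 * input is cut to 7 bytes plus NUL instead of smashing the stack; returns 7. */
long demo_after_hook(void)
{
    char buf[8];
    if (install_inline_hook((void *)copy_field, (void *)copy_field_fixed) != 0)
        return -1;
    size_t n = copy_field(buf, sizeof buf, "AAAAAAAAAAAAAAAAAAAAAAAA");
    return (n == 7 && buf[7] == '\0' && strlen(buf) == 7) ? (long)n : -2;
}

int main(void)
{
    printf("before hook: %ld\n", demo_before_hook());
    printf("after hook:  %ld\n", demo_after_hook());
    return 0;
}
```

Two things a real deployment has to handle that this snippet deliberately leaves out: the overwritten prologue bytes are gone, so the patch must never call back into the original function (if it has to, the intruder must copy the displaced instructions to a trampoline and fix up any PC-relative ones), and on systems that enforce W^X the `mprotect` call fails, which is why the hook reports an error instead of assuming it succeeded.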
- execution flow of the host program, i.e. the first program
- before intruding into the target location content according to the intrusion hook guidance information and establishing the hook relationship, the method may further include signature verification of the vulnerability repair library:
- the vulnerability repair library is digitally signed with the private key of an RSA key pair using a signature generation tool; the signature is placed in a digital signature section, and at runtime LLIM verifies it with its public key to prevent patch forgery. Because the hook guidance information decides where code in the first program is overwritten, the signature has to cover it together with the patch code.
- LLIM reads the content of the digital signature section of the patch library, verifies the signature with the built-in public key, and performs the subsequent operations only after verification passes.
- the target Linux host program body (i.e. the first program) starts running from its program entry point.
- the vulnerable code is the target location content.
- through the Linux intrusion loader LLIM core, the vulnerability repair component is invoked in an operating environment unrelated to the host context.
- the vulnerability repair component repairs the vulnerability with the repair code in the vulnerability repair library; after the repair completes, execution returns to the subsequent code of the target Linux host program body.
- the vulnerability repair patch parser in the vulnerability repair component parses the patch files in the vulnerability repair library and then guides the intrusion.
- the binary intruder in the Linux intrusion loader LLIM core intrudes into the vulnerable code of the host program, and the execution flow is hooked to the vulnerability repair patch deployer in the vulnerability repair component.
- the vulnerability repair patch deployer directs the flow to the vulnerability repair library, and the binary loader in the Linux intrusion loader LLIM core loads the vulnerability repair library.
- the vulnerability repair component includes a vulnerability repair patch parser and a patch deployer.
- the vulnerability repair patch parser is an ELF file interpreter that reads the information of each segment and section according to the ELF file header; after LLIM has loaded the vulnerability repair patch library, the patch deployer redirects the logical address of the target to be repaired, realizing the jump from the vulnerable program into the patch program.
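Reading the digital signature section and the hook guidance section means parsing an ELF file that arrived over the network and has not been verified yet, so the patch parser itself is attack surface: every offset and size in the headers is attacker-controlled until the signature checks out. The following added example (written for this page, not the patent's loader) shows a section locator hardened for that case, exercised on a constructed patch image. The section names `.llim.hook` and `.llim.sig`, the guidance string and the signature bytes are assumptions made for the demonstration; the RSA verification over the located bytes is the job of a crypto library and is not reproduced here.

```c
#include <stdint.h>
#include <string.h>

/* Same layout as Elf64_Ehdr / Elf64_Shdr in <elf.h>, redefined so the example is self-contained. */
typedef struct { unsigned char e_ident[16]; uint16_t e_type, e_machine; uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff; uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx; } Ehdr64;
typedef struct { uint32_t sh_name, sh_type; uint64_t sh_flags, sh_addr, sh_offset, sh_size;
    uint32_t sh_link, sh_info; uint64_t sh_addralign, sh_entsize; } Shdr64;
_Static_assert(sizeof(Ehdr64) == 64 && sizeof(Shdr64) == 64, "ELF64 header layout");

/* True when [off, off + size) lies inside an image of `len` bytes; this form cannot overflow. */
static int in_image(uint64_t off, uint64_t size, size_t len) { return off <= len && size <= len - off; }

/* Locate section `name` in an untrusted ELF64 image without trusting any offset in it.
 * Returns 1 (and sets *off/*size) when found, 0 when absent, -1 when the image is malformed. */
int elf_find_section(const uint8_t *img, size_t len, const char *name, size_t *off, size_t *size)
{
    Ehdr64 eh;
    if (len < sizeof eh) return -1;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, "\x7f" "ELF", 4) != 0 || eh.e_ident[4] != 2 /* ELFCLASS64 */
        || eh.e_ident[5] != 1 /* ELFDATA2LSB; a little-endian host is assumed */)
        return -1;
    if (eh.e_shentsize != sizeof(Shdr64) || eh.e_shnum == 0 || eh.e_shstrndx >= eh.e_shnum)
        return -1;
    if (!in_image(eh.e_shoff, (uint64_t)eh.e_shnum * sizeof(Shdr64), len)) return -1; /* table outside */
    const uint8_t *shtab = img + eh.e_shoff;
    Shdr64 strtab;
    memcpy(&strtab, shtab + (size_t)eh.e_shstrndx * sizeof(Shdr64), sizeof strtab);
    if (!in_image(strtab.sh_offset, strtab.sh_size, len)) return -1;         /* name table outside */
    const char *names = (const char *)img + strtab.sh_offset;
    for (unsigned i = 0; i < eh.e_shnum; i++) {     /* unsigned, not uint16_t: e_shnum may be 0xFFFF */
        Shdr64 sh;
        memcpy(&sh, shtab + i * sizeof(Shdr64), sizeof sh);
        if (sh.sh_name >= strtab.sh_size) return -1;
        if (memchr(names + sh.sh_name, '\0', (size_t)(strtab.sh_size - sh.sh_name)) == NULL)
            return -1;                              /* section name not NUL-terminated inside the table */
        if (strcmp(names + sh.sh_name, name) != 0) continue;
        if (sh.sh_type == 8 /* SHT_NOBITS */ || !in_image(sh.sh_offset, sh.sh_size, len))
            return -1;                              /* no file bytes, or bytes claimed outside the image */
        *off = (size_t)sh.sh_offset; *size = (size_t)sh.sh_size;
        return 1;
    }
    return 0;
}

/* Constructed sample data: hook guidance text and stand-in signature bytes (not a real RSA signature). */
static const char kHookInfo[] = "lib=libdemo.so;sym=copy_field;patch=copy_field_fixed";
static const char kSigBytes[] = "constructed-signature-bytes";

/* Build a minimal ELF64 image: header, .shstrtab, .llim.hook, .llim.sig, section header table.
 * Returns the image length, or 0 if `cap` is too small. */
size_t build_patch_image(uint8_t *out, size_t cap, const char *hook, const char *sig)
{
    static const char shstr[] = "\0.shstrtab\0.llim.hook\0.llim.sig";  /* name offsets 1, 11, 22 */
    size_t hlen = strlen(hook), slen = strlen(sig);
    size_t str_off = sizeof(Ehdr64), hook_off = str_off + sizeof shstr, sig_off = hook_off + hlen;
    size_t shoff = (sig_off + slen + 7) & ~(size_t)7, total = shoff + 4 * sizeof(Shdr64);
    if (total > cap) return 0;
    memset(out, 0, total);
    Ehdr64 eh; memset(&eh, 0, sizeof eh);
    memcpy(eh.e_ident, "\x7f" "ELF\x02\x01\x01", 7);          /* ELF64, little-endian, version 1 */
    eh.e_type = 3; eh.e_machine = 62; eh.e_version = 1;        /* ET_DYN, EM_X86_64 (illustrative) */
    eh.e_shoff = shoff; eh.e_ehsize = sizeof eh; eh.e_shentsize = sizeof(Shdr64);
    eh.e_shnum = 4; eh.e_shstrndx = 1;
    memcpy(out, &eh, sizeof eh);
    memcpy(out + str_off, shstr, sizeof shstr);
    memcpy(out + hook_off, hook, hlen);
    memcpy(out + sig_off, sig, slen);
    Shdr64 sh[4]; memset(sh, 0, sizeof sh);                    /* sh[0] is the mandatory null section */
    sh[1] = (Shdr64){ .sh_name = 1, .sh_type = 3, .sh_offset = str_off, .sh_size = sizeof shstr, .sh_addralign = 1 };
    sh[2] = (Shdr64){ .sh_name = 11, .sh_type = 1, .sh_offset = hook_off, .sh_size = hlen, .sh_addralign = 1 };
    sh[3] = (Shdr64){ .sh_name = 22, .sh_type = 1, .sh_offset = sig_off, .sh_size = slen, .sh_addralign = 1 };
    memcpy(out + shoff, sh, sizeof sh);
    return total;
}

/* LLIM-style handling of a downloaded patch: locate the signature section first (those bytes go to
 * the RSA verifier), then the hook guidance; a truncated download and a header whose sh_offset
 * points past the file must be rejected, not dereferenced. Returns 0 when every check holds. */
int demo_locate(void)
{
    uint8_t img[512];
    size_t len = build_patch_image(img, sizeof img, kHookInfo, kSigBytes), off, size;
    if (elf_find_section(img, len, ".llim.sig", &off, &size) != 1 || off != 148
        || size != strlen(kSigBytes) || memcmp(img + off, kSigBytes, size) != 0) return 1;
    if (elf_find_section(img, len, ".llim.hook", &off, &size) != 1 || off != 96
        || size != strlen(kHookInfo) || memcmp(img + off, kHookInfo, size) != 0) return 2;
    if (elf_find_section(img, len, ".missing", &off, &size) != 0) return 3;
    if (elf_find_section(img, len - 64, ".llim.sig", &off, &size) != -1) return 4;  /* truncated file */
    Ehdr64 eh; Shdr64 sh;
    memcpy(&eh, img, sizeof eh);
    memcpy(&sh, img + eh.e_shoff + 3 * sizeof sh, sizeof sh);
    sh.sh_offset = 0xFFFFFFFFu;                     /* hostile header: .llim.sig claims bytes past the image */
    memcpy(img + eh.e_shoff + 3 * sizeof sh, &sh, sizeof sh);
    return elf_find_section(img, len, ".llim.sig", &off, &size) == -1 ? 0 : 5;
}
```

The locator never derives a pointer from a header field before `in_image` has bounded it, rejects SHT_NOBITS sections (they have no file bytes to verify), and loops with a type wide enough that `e_shnum` = 0xFFFF cannot wrap. A loader in LLIM's position would additionally check `e_machine` against the host and make sure the signature covers every byte of the file except the signature section itself.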
- FIG. 3 shows a flowchart of steps of another data processing method provided by an embodiment of the present invention, which may specifically include the following steps:
- Step 301: load the target intrusion and loader into the first memory space of the first program, and obtain a vulnerability repair library for the first program through the target intrusion and loader, as described for step 101.
- Step 302: perform signature verification on the vulnerability repair library using preset public key information (the RSA signature section and built-in public key described for FIG. 1).
- Step 303: after the signature verification passes, intrude into the content at the target location in the first program according to the intrusion hook guidance information in the vulnerability repair library, and establish a hook relationship between the target location content and the vulnerability repair library.
- the intrusion hook guidance information may include the repair target library name, the repair target function symbol name, the repair target mount address (i.e. the target location content), and the patch function entry symbol name and address; after the library is downloaded this information is read, the target location is intruded precisely according to it, and the target location content is linked to the vulnerability repair library.
- Step 304: in the first memory space, create a second memory space for the target intrusion and loader and configure a second running environment isolated from the first running environment of the first program, where the second memory space is used only by the target loader and the programs it loads (LLIM's self-contained space, configured as described for step 102).
- Step 305: based on the second operating environment, load the vulnerability repair library into the second memory space, and when the first program calls the target location content, redirect execution to the vulnerability repair library according to the hook relationship so as to repair the vulnerability in the target location content.
- with the vulnerability repair library loaded, the intrusion and hook logic redirects execution into the logic of the vulnerability repair library, overriding the original vulnerable business logic at the target location in the first program.
- Step 306: after the vulnerability repair is completed, return to the execution flow of the first program.
- execution flow of the host program, i.e. the first program
- the embodiment of the present invention is illustrated below in conjunction with FIG. 4:
- the vulnerability repair component detects a deployed vulnerability repair patch, performs digital signature verification on it, and after the signature verifies, parses the intrusion guidance information (the intrusion hook guidance information) and instructs the LLIM intruder to perform an intrusive hook at the repair point (the target location content).
- the LLIM intruder intrudes into and hooks the vulnerable target program (the first program).
- the vulnerability repair component guides the LLIM loader to load the vulnerability repair patch and to apply thread isolation.
- when the target program's actual execution reaches the vulnerable logic, it jumps to the vulnerability repair logic, the vulnerability repair patch executes the repair, and execution returns to the target program after the repair completes.
- the hooking technology combines the link-map, instrumentation and inline schemes, so it can intrude into the ELF images of any Linux system and can cope with defense mechanisms such as RELRO in Android processes (with full RELRO the GOT becomes read-only after relocation, so GOT-rewriting link-map hooks need the page remapped writable first, while inline code patching does not depend on the GOT at all).
- developing a vulnerability repair patch is simple: the patch is written by hand according to the CVE vulnerability mechanism and repair suggestions, and the build environment is unified, so there is no need for per-distribution Linux build environments (such as the separate cross-development environments and toolchains of GNU/Linux, Android and OpenWRT).
- LLIM monitors patch information online in real time and can hot-load patches by modifying the in-memory ELF image; the process does not restart and the device does not shut down, which greatly facilitates use on IoT devices.
- FIG. 5 shows a schematic structural diagram of a data processing device provided by an embodiment of the present invention.
- the device can be applied to a target device running a Linux operating system.
- a first program is deployed on the Linux operating system, and the device can specifically include the following modules:
- the vulnerability repair library acquisition module 501 is configured to load the target intrusion and loader into the first memory space of the first program and to obtain the vulnerability repair library for the first program through the target intrusion and loader.
- the second operating environment configuration module 502 is configured to create a second memory space for the target intrusion and loader in the first memory space and to configure a second operating environment isolated from the first operating environment of the first program, where the second memory space is used only by the target loader and the programs it loads.
- the vulnerability repair module 503 is configured to load the vulnerability repair library into the second memory space based on the second operating environment and to use it to repair the vulnerability in the first program.
- a hook relationship establishing module is used to intrude into the content at the target location in the first program according to the intrusion hook guidance information in the vulnerability repair library and to establish a hook relationship between the target location content and the vulnerability repair library.
- the vulnerability repair module 503 may include:
- a hook location repair submodule, used to redirect execution to the vulnerability repair library according to the hook relationship when the first program calls the target location content, so as to repair the vulnerability in the target location content.
- a return execution module, used to return to the execution flow of the first program after the vulnerability repair is completed.
- a signature verification module, used to perform signature verification on the vulnerability repair library with preset public key information and, after verification passes, to call the hook relationship establishing module.
- the target intrusion and loader includes an intruder and a loader; the intruder intrudes into and hooks the first program, and the loader creates the second memory space, configures the second operating environment, and loads the vulnerability repair library.
- the vulnerability repair library is obtained from the cloud by the target intrusion and loader.
- the first program is a user mode program.
- An embodiment of the present invention also provides an electronic device, which may include a processor, a memory, and a computer program stored in the memory and capable of running on the processor.
- An embodiment of the present invention also provides a computer-readable storage medium, on which a computer program is stored, and when the computer program is executed by a processor, the above data processing method is realized.
- The description of the device embodiment is relatively brief; for related parts, please refer to the description of the method embodiment.
- embodiments of the present invention may be provided as methods, devices, or computer program products. Accordingly, embodiments of the invention may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, embodiments of the invention may take the form of a computer program product embodied on one or more computer-usable storage media (including but not limited to disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
- Embodiments of the present invention are described with reference to flowcharts and/or block diagrams of methods, terminal devices (systems), and computer program products according to embodiments of the present invention. It should be understood that each procedure and/or block in the flowchart and/or block diagram, and any combination of procedures and/or blocks in the flowchart and/or block diagram, can be realized by computer program instructions. These computer program instructions may be provided to a general purpose computer, special purpose computer, embedded processor or processor of other programmable data processing terminal equipment to produce a machine, such that the instructions executed by the computer or by the processor of the other programmable data processing terminal equipment produce means for realizing the functions specified in one or more procedures of the flowchart and/or one or more blocks of the block diagram.
- These computer program instructions may also be stored in a computer-readable memory capable of directing a computer or other programmable data processing terminal to operate in a specific manner, such that the instructions stored in the computer-readable memory produce an article of manufacture comprising instruction means, the instruction means implementing the functions specified in one or more procedures of the flowchart and/or one or more blocks of the block diagram.
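The signature verification module described above gates everything that follows it: the repair library is only handed to the hook relationship establishment module after it verifies under the public key preset in the loader. The following Go program is an added example that models that gate; it is not code from the patent or from any product. It assumes an Ed25519 signature over a small manifest (the name of the program the library is meant for plus a SHA-256 digest of the library bytes), so that a genuine library for one program cannot be replayed against another. The manifest layout, the target-name binding, and the sample program name "iot-agent" are all assumptions of this example.

```go
// Added example (not the patent's code): a model of the loader-side
// "signature verification module". The manifest layout and the
// target-name binding are assumptions of this example.
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Manifest is an assumed wrapper around a repair library blob: the
// library bytes plus the name of the first program they are meant to repair.
type Manifest struct {
	Target  string
	Library []byte
}

var (
	ErrBadSignature = errors.New("repair library signature does not verify under the pinned key")
	ErrWrongTarget  = errors.New("repair library is not intended for this program")
)

// signedMessage binds the target name and a digest of the library bytes
// into the single message that is signed, so neither can be swapped
// independently of the other after signing.
func signedMessage(m Manifest) []byte {
	sum := sha256.Sum256(m.Library)
	msg := append([]byte(m.Target), 0) // NUL separator; target names contain no NUL
	return append(msg, sum[:]...)
}

// Sign is the publishing side: the cloud service that distributes the
// library signs the manifest with its private key.
func Sign(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, signedMessage(m))
}

// VerifyAndGate is the loader side. It releases the library bytes only if
// the signature verifies under the public key preset in the loader and the
// manifest names the program about to be patched. The signature is checked
// before any manifest field is trusted.
func VerifyAndGate(pinned ed25519.PublicKey, m Manifest, sig []byte, thisProgram string) ([]byte, error) {
	if !ed25519.Verify(pinned, signedMessage(m), sig) {
		return nil, ErrBadSignature
	}
	if m.Target != thisProgram {
		return nil, ErrWrongTarget
	}
	// Only now would the loader copy the bytes into the isolated second
	// memory space and call the hook relationship establishment module;
	// here the verified bytes are simply returned.
	out := make([]byte, len(m.Library))
	copy(out, m.Library)
	return out, nil
}

func main() {
	// Constructed sample: a fresh key pair stands in for the vendor's
	// signing key and the public key preset in the loader.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	m := Manifest{Target: "iot-agent", Library: []byte("constructed repair library bytes")}
	sig := Sign(priv, m)

	if lib, err := VerifyAndGate(pub, m, sig, "iot-agent"); err == nil {
		fmt.Printf("accepted %d-byte library for iot-agent\n", len(lib))
	}
	// A library altered in transit fails the signature check.
	tampered := Manifest{Target: m.Target, Library: append([]byte("x"), m.Library...)}
	_, err = VerifyAndGate(pub, tampered, sig, "iot-agent")
	fmt.Println("tampered library:", err)
	// A genuine library for another program is refused by the target check.
	_, err = VerifyAndGate(pub, m, sig, "other-daemon")
	fmt.Println("wrong program:", err)
}
```

The ordering inside VerifyAndGate is the point a practitioner would check: the signature is verified over the whole manifest first, and only then is the target field compared, so the loader never acts on a field from an unverified manifest. Binding the library to its intended program is an addition of this example; the description only states that the library is signature-checked against preset public key information.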
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Physics & Mathematics (AREA)
- Computer Security & Cryptography (AREA)
- General Physics & Mathematics (AREA)
- Software Systems (AREA)
- Quality & Reliability (AREA)
- Mathematical Physics (AREA)
- Computing Systems (AREA)
- Stored Programmes (AREA)
Abstract
Embodiments of the present invention relate to a data processing method and apparatus, applied to a target device running a Linux operating system. A first program is deployed in the Linux operating system. The method comprises: loading a target intrusion and loader into a first memory space of the first program, and obtaining a vulnerability repair library for the first program by means of the target intrusion and loader; in the first memory space, creating a second memory space for the target intrusion and loader and configuring a second operating environment isolated from a first operating environment of the first program, the second memory space being used only by the target loader and by a program that the target loader can load; and, on the basis of the second operating environment, loading the vulnerability repair library into the second memory space and performing vulnerability repair on the first program using the vulnerability repair library. Embodiments of the present invention make it possible to achieve vulnerability repair on Linux distributions; the present invention is applicable to different Linux distributions and requires only a single compilation.
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210138769.4 | 2022-02-15 | ||
CN202210138769.4A CN114595461B (zh) | 2022-02-15 | 2022-02-15 | 一种数据处理的方法和装置 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2023155697A1 true WO2023155697A1 (fr) | 2023-08-24 |
Family
ID=81806704
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2023/074419 WO2023155697A1 (fr) | 2022-02-15 | 2023-02-03 | Data processing method and apparatus |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN114595461B (fr) |
WO (1) | WO2023155697A1 (fr) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114595462B (zh) * | 2022-02-15 | 2024-08-20 | 阿里云计算有限公司 | A data processing method and apparatus |
CN114595461B (zh) * | 2022-02-15 | 2024-07-16 | 阿里云计算有限公司 | A data processing method and apparatus |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20200311268A1 (en) * | 2019-03-29 | 2020-10-01 | Acronis International Gmbh | Methods and systems for performing a dynamic analysis of applications for protecting devices from malwares |
US20210026947A1 (en) * | 2019-07-22 | 2021-01-28 | Cloud Linux Software Inc. | Intrusion detection and prevention for unknown software vulnerabilities using live patching |
CN112906008A (zh) * | 2018-11-15 | 2021-06-04 | 百度在线网络技术(北京)有限公司 | Kernel vulnerability repair method, apparatus, server and system |
CN114595462A (zh) * | 2022-02-15 | 2022-06-07 | 阿里云计算有限公司 | A data processing method and apparatus |
CN114595461A (zh) * | 2022-02-15 | 2022-06-07 | 阿里云计算有限公司 | A data processing method and apparatus |
Family Cites Families (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7441113B2 (en) * | 2006-07-10 | 2008-10-21 | Devicevm, Inc. | Method and apparatus for virtualization of appliances |
US8286238B2 (en) * | 2006-09-29 | 2012-10-09 | Intel Corporation | Method and apparatus for run-time in-memory patching of code from a service processor |
CN104424442A (zh) * | 2013-08-26 | 2015-03-18 | 联想(北京)有限公司 | A data protection method and electronic device |
CN105868639A (zh) * | 2016-03-30 | 2016-08-17 | 百度在线网络技术(北京)有限公司 | Kernel vulnerability repair method and apparatus |
US10841328B2 (en) * | 2017-05-04 | 2020-11-17 | International Business Machines Corporation | Intelligent container resource placement based on container image vulnerability assessment |
CN110457909B (zh) * | 2019-08-15 | 2024-05-28 | 腾讯科技(深圳)有限公司 | Vulnerability repair method and apparatus for virtual machine memory, and computer device |
CN110795128B (zh) * | 2019-10-30 | 2023-10-27 | 上海米哈游天命科技有限公司 | Program vulnerability repair method, apparatus, storage medium and server |
CN111858004A (zh) * | 2020-07-21 | 2020-10-30 | 中国人民解放军国防科技大学 | Method and system for dynamic loading of real-time applications in a computer secure world based on TEE extension |
2022
- 2022-02-15 CN CN202210138769.4A patent/CN114595461B/zh active Active
2023
- 2023-02-03 WO PCT/CN2023/074419 patent/WO2023155697A1/fr active Application Filing
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN112906008A (zh) * | 2018-11-15 | 2021-06-04 | 百度在线网络技术(北京)有限公司 | Kernel vulnerability repair method, apparatus, server and system |
US20200311268A1 (en) * | 2019-03-29 | 2020-10-01 | Acronis International Gmbh | Methods and systems for performing a dynamic analysis of applications for protecting devices from malwares |
US20210026947A1 (en) * | 2019-07-22 | 2021-01-28 | Cloud Linux Software Inc. | Intrusion detection and prevention for unknown software vulnerabilities using live patching |
CN114595462A (zh) * | 2022-02-15 | 2022-06-07 | 阿里云计算有限公司 | A data processing method and apparatus |
CN114595461A (zh) * | 2022-02-15 | 2022-06-07 | 阿里云计算有限公司 | A data processing method and apparatus |
Also Published As
Publication number | Publication date |
---|---|
CN114595461A (zh) | 2022-06-07 |
CN114595461B (zh) | 2024-07-16 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2023155697A1 (fr) | | Data processing method and apparatus |
Altekar et al. | | OPUS: Online Patches and Updates for Security. |
US9195476B2 (en) | | System and method for aggressive self-modification in dynamic function call systems |
US9805188B2 (en) | | Control flow integrity system and method |
KR100965706B1 (ko) | | Computer device capable of code rewriting, and code rewriting method |
Pfretzschner et al. | | Identification of dependency-based attacks on node.js |
US20170024230A1 (en) | | Method, apparatus, and computer-readable medium for obfuscating execution of an application on a virtual machine |
Dahse et al. | | Code reuse attacks in php: Automated pop chain generation |
US20150332043A1 (en) | | Application analysis system for electronic devices |
US20110078672A1 (en) | | Classloading Technique for an Application Server that Provides Dependency Enforcement |
WO2006133222A2 (fr) | | Constraint injection system for protecting software programs against vulnerabilities and attacks |
JP2013511077A (ja) | | System and method for protecting Java bytecode from static and dynamic attacks within a malicious execution environment |
EP3583536B1 (fr) | | Secure definition of an operating system composition without multiple authoring |
US20220391541A1 (en) | | Software provenance validation |
WO2023155686A1 (fr) | | Data processing method and apparatus |
Skowyra et al. | | Systematic analysis of defenses against return-oriented programming |
CN113760339B (zh) | | Vulnerability repair method and apparatus |
US20110078659A1 (en) | | Java-Based Application Server that Supports Multiple Component Models |
Moriconi et al. | | Reflections on trusting docker: Invisible malware in continuous integration systems |
Drake | | Exploiting Memory Corruption Vulnerabilities in the Java Runtime |
Zhang et al. | | Programming smart contract with solidity |
Metula | | Managed code rootkits: hooking into runtime environments |
EP4167111B1 (fr) | | Method and apparatus for preparing unique software |
Bishop | | Improvements of User's Security and Privacy in a Web Browser |
US20220413825A1 (en) | | Immutable edge devices |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 23755700 Country of ref document: EP Kind code of ref document: A1 |
 | WWE | Wipo information: entry into national phase | Ref document number: 18691837 Country of ref document: US |
 | NENP | Non-entry into the national phase | Ref country code: DE |